Karma Hotel Trojan Information

Last update June 2, 2002

This is intended to be used in conjunction with a #nohack op
Do NOT part #NoHack until you are cleaned from this virus

written by Golcor from nohack

Wonderful mIRC 6.0x comes with raw socket ability. It didn't take long for hackers to work that into a karma look alike. The newest version of server.ini has raw sockets that spams users using a different nick. This is achieved by creating raw sockets, writing a string to that socket and then sending the string across the server from a random nick (Guest#####) to a user that joins or parts a channel the infected user is in. The recipient can no longer automatically detect who is sending the spam, because the nick that is sending is different than the nick that is infected. It also send out information, and has some control functions from a channel that has since been closed by DalNet (Good fast work exploits team!)

In addition to the new karma, it has also put an alias into it that disables the remove command, so it is necessary to disable the script first before trying to remove it. The good news is that outside of the remove alias, it is still simple to remove

Click Here to download a FREE fix tool for the IRC.Karma.Trojan. It is a mIRC script so you need to unzip it and load it into mIRC. Be sure to remember where you unzip it to. Winzip default is c:\windows\temp

In mIRC type the following commands to clean the karma and its variants:

          /unload -rs server.ini
          /unload -rs c:\windows\server.ini

          /write clean.bat attrib -r server.ini
          /write clean.bat attrib -r mirc.ini
          /write clean.bat del server.ini
          /write clean.bat del c:\windows\server.ini
          /write clean.bat del clean.bat
          /run clean.bat

The information below should be considered archive.

Click Here to download a FREE fix tool for the IRC.Karma.Trojan. It is in zip format so unzip it with winzip to your desk top and read the readme file included for instructions. This tool must be applied to every copy of mIRC you have.

This Trojan exploits a known bug in Internet Explorer. If a user can be lured into visiting a web page containing malicious VBS code, Internet Explorer will run the code without prompting the user for permission. The Karma Hotel Trojan drops its worm code into every mIRC directory it finds. Then it loads into the remote sections of those mIRC clients. It sets the mirc.ini files to read only problay to prevent users from trying to keep the worm from loading up. This worm then advertises the url of the site it originated from over IRC in order to lure more users to the site.

Prevention is simple, go to Windows Update and click on Product Updates When the page finishes loading, get all the critical updates listed there.

If you are already infected with this Trojan, it is simple to remove. You can remove it with mIRC open or closed:

mIRC Opened
The first thing you need to do is unload the remote script. In mIRC hold down the ALT key and press "R" button. This will open your remote section. Then you just unload the Trojan. Click on View to see a listing of loaded remote. This Trojan usually uses the name server.ini. Click File - unload to unload it.
Once it is unloaded, you can delete it by typing /remove server.ini in your status window. If you have more than one copy of mIRC, read the next section to clean those versions.

mIRC Closed
Open Windows Explorer (Windows Key + E) and navigate to your mIRC folder. Locate and delete server.ini. If a #NoHack Moderator has told you a different file name, then delete that. This process must be done for every copy of mirc you have. Some versions only infect the c:\ drive, others infect every fixed drive, so you should check them all to be sure.

To change the mirc.ini file back to read/write go to each mirc folder that was infected and right click on mirc.ini, then click properties. Clear the check from the Read Only Line.

Image of properties dialog box

That's it!

For more information on Trojans and their removal, go to http://www.nohack.net/ You can also download a Trojan remover at http://www.lockdowncorp.com/bots/downloadswatit.html

nohack   lockdowncorp.com